Back to plugin

Security audit

OpenClaw A2A Plugin

Security checks across malware telemetry and agentic risk

Overview

This plugin appears to do what it says: it lets OpenClaw agents exchange A2A messages using disclosed authentication, network routes, and local state storage.

Install only if you intend to expose or contact A2A peers. Keep Passport/NEAR credentials in secrets files or environment variables, require JWT or API-key auth for public endpoints, avoid allowUnauthenticated on the open internet, and enable tlsSkipVerify only for trusted development setups.

VirusTotal

62/62 vendors flagged this plugin as clean.

View on VirusTotal

Static analysis

Detected: suspicious.exposed_secret_literal, suspicious.insecure_tls_verification

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
dist/auth/rodit-outbound-credentials.js:6
Evidence
privateKey: "[REDACTED]",

HTTPS certificate verification is disabled.

Warn
Code
suspicious.insecure_tls_verification
Location
dist/outbound/tls-fetch.js:16
Evidence
rejectUnauthorized: false,